<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=text/html;charset=iso-8859-1 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7100.4129"></HEAD>
<BODY
style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; WORD-WRAP: break-word; PADDING-TOP: 15px; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space"
id=MailContainerBody leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV><FONT face=Calibri>The second solution seems the most likely to meet real
requirements so long as this OpenID signout could carry an enumerable set of
endpoints that could be easily called to close the session.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>/steven</FONT></DIV>
<DIV><FONT face=Calibri><A
href="http://livz.org">http://livz.org</A></FONT></DIV>
<DIV style="FONT: 10pt Tahoma">
<DIV><FONT size=3 face=Calibri></FONT><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=jonathan.coffman@gmail.com
href="mailto:jonathan.coffman@gmail.com">Jonathan Coffman</A> </DIV>
<DIV><B>Sent:</B> Tuesday, September 29, 2009 11:43 PM</DIV>
<DIV><B>To:</B> <A title=general@openid.net
href="mailto:general@openid.net">general@openid.net</A> </DIV>
<DIV><B>Subject:</B> [OpenID] Logout Use Case</DIV></DIV></DIV>
<DIV><BR></DIV>Hey there folks, I'd like to start a conversation around how
OpenID might be able to facilitate logout more gracefully. Should I enter my
use-case onto the wiki somewhere?
<DIV><BR></DIV>
<DIV>Just to whet your whistle, here's a summary:</DIV>
<DIV><BR></DIV>
<DIV>- We're using OpenID for federated identity and SSO for a network of
micro-sites.</DIV>
<DIV>- Some of those micro-sites live at the same domain, but in different
directories, and utilize a multitude of web technologies (php, flat-files,
django, plone, etc)</DIV>
<DIV>- Other micro-sites are on their own domains.</DIV>
<DIV><BR></DIV>
<DIV>Because a large percentage of our RPs (the micro-sites) actually live on
the same domain, but on varying infrastructure and technologies, it's confusing
to the user that when they log in, they're logged in across the network -- but
when logging out they're only logged out from an individual RP.</DIV>
<DIV><BR></DIV>
<DIV>As far as potential solutions, we've come up with a couple of different
technical options:</DIV>
<DIV>- RP1 sends a logout command to the OP which destroys the RP1 and OP
session. However, the user may still be logged in locally at RP2 (RP2 could also
poll to check if the user is still logged in at the OP at a set schedule)</DIV>
<DIV><BR></DIV>
<DIV><B>or</B></DIV>
<DIV><BR></DIV>
<DIV>- OP maintains a list of RPs the user is currently logged in to and upon
RP1 killing its local session and pinging the OP, the OP then 'pushes' a
message out to all of the other RPs instructing them to kill the user's
session.</DIV>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV>- Jonathan Coffman</DIV>
<DIV>@jdcoffman</DIV>
<DIV><BR></DIV>
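<DIV>A sketch of the second option discussed in this thread, added here as an illustration and not taken from either message or from any OpenID specification: the OP records which RPs a user signed in to and, on logout, calls each one's logout endpoint. The class and method names, the JSON message and the per-RP HMAC key are all assumptions; an RP that cannot be reached is reported so it can fall back to the polling described in the first option.</DIV>

```python
import hashlib
import hmac
import json


class RelyingParty:
    """Hypothetical RP exposing a logout endpoint the OP can call."""

    def __init__(self, name, secret, reachable=True):
        self.name, self.secret, self.reachable = name, secret, reachable
        self.sessions = set()  # users with a local session at this RP

    def logout_endpoint(self, body, tag):
        if not self.reachable:
            raise ConnectionError(self.name)
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # push not authenticated by the OP: keep the session
        self.sessions.discard(json.loads(body)["user"])
        return True


class Provider:
    """Hypothetical OP that remembers where each user is signed in."""

    def __init__(self):
        self.active = {}  # maps user to {rp name: RelyingParty}

    def login(self, user, rp):
        self.active.setdefault(user, {})[rp.name] = rp
        rp.sessions.add(user)

    def logout(self, user, origin):
        """origin ended its local session; push logout to every other RP."""
        origin.sessions.discard(user)
        failed = []
        for rp in self.active.pop(user, {}).values():
            if rp is origin:
                continue
            body = json.dumps({"user": user, "event": "logout"}).encode()
            tag = hmac.new(rp.secret, body, hashlib.sha256).hexdigest()
            try:
                if not rp.logout_endpoint(body, tag):
                    failed.append(rp.name)
            except ConnectionError:
                failed.append(rp.name)  # this RP must poll the OP instead
        return failed
```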
<P>
<HR>
<P></P>_______________________________________________<BR>general mailing
list<BR>general@lists.openid.net<BR>http://lists.openid.net/mailman/listinfo/openid-general<BR></BODY></HTML>